- December 1995
- Revision 10
- JPO# 95-432
-
-
- The CERT(sm) Coordination Center FAQ
-
-
- =======================================================================
- = Preface =
- =======================================================================
-
- This document is intended to answer the most Frequently Asked Questions (FAQs)
- about the CERT Coordination Center. The FAQ is a dynamic document that will
- change as information changes. Suggestions for additional sections are
- welcome -- please email them to cert@cert.org. The most recent copy of this
- FAQ is available from
- ftp://info.cert.org/pub/
- http://www.sei.cmu.edu/technology/cert.cc.html
-
- Questions answered in this document
-
- A. Introduction to the CERT Coordination Center
- A1. What is the CERT Coordination Center?
- A2. How do I contact the CERT Coordination Center?
- A3. Where can I find online information about the CERT Coordination
- Center?
- A4. What's in the CERT Coordination Center name?
-
- B. Where to go for information
- B1. What is a CERT advisory?
- B2. Where can I obtain archived CERT advisories?
- B3. Can I obtain source code to a patch described in a CERT
- advisory?
- B4. What other alerts does the CERT Coordination Center publish?
- B5. What mailing lists does the CERT Coordination Center offer?
- B6. What information is available via anonymous FTP from the
- CERT Coordination Center?
- B7. What presentations, workshops, and seminars does the CERT
- Coordination Center offer?
- B8. Where can I get information about firewalls?
- B9. Where can I get information about viruses?
- B10. What other online information sources does the CERT Coordination
- Center recommend?
- B11. What books or articles does the CERT Coordination Center
- recommend?
-
- C. Incident Response
- C1. What kind of information should I provide to the CERT
- Coordination Center when my site has experienced an intrusion?
-
-
- =======================================================================
- = Section A. Introduction to the CERT Coordination Center =
- =======================================================================
-
- A1. What is the CERT Coordination Center?
-
- The CERT Coordination Center is the organization that grew from the
- computer emergency response team formed by the Defense Advanced
- Research Projects Agency (DARPA) in November 1988 in response to the
- needs exhibited during the Internet worm incident. The CERT charter
- is to work with the Internet community to facilitate its response to
- computer security events involving Internet hosts, to take proactive
- steps to raise the community's awareness of computer security issues,
- and to conduct research targeted at improving the security of existing
- systems.
-
- CERT products and services include 24-hour technical assistance for
- responding to computer security incidents, product vulnerability
- assistance, technical documents, and seminars. In addition, the team
- maintains a number of mailing lists (including one for CERT
- advisories) and provides an anonymous FTP server, info.cert.org, where
- security-related documents, CERT advisories, and tools are archived.
-
- A2. How do I contact the CERT Coordination Center?
-
- U.S. mail address
- CERT Coordination Center
- Software Engineering Institute
- Carnegie Mellon University
- Pittsburgh, PA 15213-3890
- U.S.A.
-
- Internet email address
- cert@cert.org
-
- Telephone number
- +1 412-268-7090 (24-hour hotline)
- CERT Coordination Center personnel answer
- 8:30 a.m. - 5:00 p.m. EST (GMT-5) / EDT (GMT-4), and are on call for
- emergencies during other hours.
-
- FAX number
- +1 412-268-6989
-
- Warning: When sending sensitive information by email, please use
- encryption. The CERT public PGP key is available from
- ftp://info.cert.org/pub/CERT_PGP.key
-
- Because anonymous FTP does not authenticate what it serves, confirm
- the key's fingerprint over an independent channel (for example, the
- hotline above) before encrypting to it.
-
- If you prefer to use DES, please call the CERT hotline to
- exchange DES keys over the phone.
-
-
- A3. Where can I find online information about the CERT Coordination
- Center?
-
- Online information about our work, along with advisories, technical
- tips, and other security information is available from
-
- ftp://info.cert.org/pub/
- http://www.sei.cmu.edu/technology/cert.cc.html
-
- A4. What's in the CERT Coordination Center name?
-
- Since its beginning in 1988, the CERT Coordination Center has acquired
- its name through an evolutionary process. Because of this, you may see
- the CERT Coordination Center referred to by several different names.
- You may hear us called Computer Emergency Response Team,
- or just CERT, but our proper name is the CERT Coordination Center.
-
- CERT(sm) is a service mark of Carnegie Mellon University and should
- not be expanded into an acronym definition or used as a stand-alone
- noun.
-
- The CERT email address has undergone a similar evolution. We use the
- email address
-
- cert@cert.org
-
- Any references to
-
- cert@cert.sei.cmu.edu
- or
- cert@sei.cmu.edu
-
- should be changed to the current address, which is
-
- cert@cert.org
-
-
- =======================================================================
- = Section B. Where To Go for Information =
- =======================================================================
-
- B1. What is a CERT advisory?
-
- A CERT advisory is a document that provides information on how to
- obtain a patch or details of a workaround for a known computer
- security problem. The CERT Coordination Center works with vendors to
- produce a workaround or a patch for a problem, and does not publish
- vulnerability information until a workaround or a patch is available.
- A CERT advisory may also be a warning to our constituency about
- ongoing attacks (e.g., "CA-95:18.widespread.attacks").
-
- CERT advisories are published on the USENET newsgroup
-
- comp.security.announce
-
- and are distributed via the cert-advisory mailing list. Both
- publication methods are described below.
-
-
- B2. Where can I obtain archived CERT advisories?
-
- CERT advisories are available from
-
- ftp://info.cert.org/pub/cert_advisories/
-
- The CA-xx:xx.README file associated with each advisory contains updates
- we receive after the advisory has been released.
-
- The "01-README" file provides a short summary of each advisory.
-
- At the following URL, you can search the advisory list as well as
- link to the FTP archive.
-
- http://www.sei.cmu.edu/technology/cert.cc.html
-
-
- B3. Can I get source code to a patch described in a CERT advisory?
-
- The CERT Coordination Center does not provide source-level patches.
- Some vendors make source-level patches available to their source
- customers while others only distribute binary patches. Contact your
- vendor for more information.
-
-
- B4. What other alerts does the CERT Coordination Center publish?
-
- (a) CERT vendor-initiated bulletins
-
- Vendor-initiated bulletins contain verbatim text from vendors about
- a security problem relating to their products. They include enough
- information for readers to determine whether the problem affects
- them, along with steps readers can take to avoid problems. Our goal
- in creating these bulletins is to help the vendors' security
- information get wide distribution quickly.
-
- CERT vendor-initiated bulletins are distributed the same way as CERT
- advisories. They are sent to the cert-advisory mailing list and
- posted to comp.security.announce. They are archived at
-
- ftp://info.cert.org/pub/cert_bulletins/
-
- (b) CERT Summary
-
- The CERT Summary calls attention to the types of attacks currently
- being reported to the CERT Coordination Center. The summary also
- contains a list of new or updated files in our FTP archive.
-
- Summaries are published 4-6 times a year. Like advisories and
- vendor-initiated bulletins, they are sent to the cert-advisory
- mailing list and posted to comp.security.announce. They are
- archived at
-
- ftp://info.cert.org/pub/cert_summaries/
-
-
- B5. What mailing lists does the CERT Coordination Center offer?
-
- (a) CERT advisory mailing list
-
- The CERT Coordination Center maintains a mailing list for those
- members of our constituency who do not have access to USENET news
- or who would like to have advisories, bulletins, and the CERT
- Summary mailed directly to them or to a mail exploder at their
- site.
-
- If you would like to be added to the CERT mailing list, please
- send email to
-
- cert-advisory-request@cert.org
-
- You will receive confirmation mail when you have been placed on
- the list.
-
- (b) CERT tools mailing list
-
- The purpose of this moderated mailing list is to encourage the
- exchange of information on security tools and techniques. The list
- should not be used for security problem reports.
-
- Note that the CERT Coordination Center does not formally review,
- evaluate, or endorse the tools and techniques described. The
- decision to use a tool or technique is the responsibility of
- each user or organization, and we encourage each organization to
- thoroughly evaluate new tools and techniques before installing
- or using them.
-
- Membership is restricted to system programmers, system
- administrators, and others with a legitimate interest in the
- development of computer security tools. If you would like to be
- considered for inclusion, please send mail to
-
- cert-tools-request@cert.org
-
- You will receive confirmation mail when you have been placed on
- the list.
-
-
- B6. What information is available via anonymous FTP from the CERT
- Coordination Center?
-
- The CERT Coordination Center has a variety of computer security
- information available from ftp://info.cert.org/pub/
-
- The 01-README file contains a short description of each directory, as
- well as the files that are at the /pub level of the FTP area.
-
- The file "ls-lR" lists the subdirectories and the files found in those
- subdirectories. Examples of what you will find in the /pub directory
- are listed below.
-
-
- FIRST/
- This directory contains contact information for members of the
- Forum of Incident Response Teams (FIRST), listed according to the
- constituency they serve. (Additional information on FIRST is
- available from http://www.first.org/first.)
-
- cert_advisories/
- In this directory are all the CERT advisories released since the
- CERT Coordination Center was established in December 1988. README
- files associated with individual advisories contain updated
- information and clarifications.
-
- cert_bulletins/
- This directory contains CERT vendor-initiated bulletins, which we
- started publishing in late 1994. The bulletins include text written
- by vendors about security problems and solutions related to their
- platforms and systems.
-
- ietf/
- This directory contains the output of several Internet Engineering
- Task Force (IETF) working groups. It includes the Site Security
- Handbook (RFC 1244) and Guidelines for the Secure Operation of the
- Internet (RFC 1281).
-
- papers/
- This directory contains postscript (.ps) versions of papers by Bill
- Cheswick, Steve Bellovin, and others, along with the original
- announcement of the cert-tools mailing list.
-
- tech_tips/
- This directory contains practical advice on topics such as
- anonymous FTP configurations and packet filtering. It also contains
- security checklists, which system administrators can use to assess
- and improve the security of their sites.
-
- tools/
- This directory contains software packages such as COPS, Crack, and
- Tripwire. It includes daemon wrappers, virus-detection programs, MD5,
- and the text of RFC 1321.
-
- whois_how_to
- This file contains instructions for using the InterNIC whois databases
- to find the point of contact for an Internet site.
-
-
- B7. What presentations, workshops, and seminars does the CERT
- Coordination Center offer?
-
- (a) Presentations
-
- Throughout the year, members of the CERT Coordination Center give
- presentations at various technical conferences, seminars, and
- regional networks. Periodically, special arrangements can be made
- to tailor presentations to fit the requirements of the specific
- site. For further information regarding presentations, please
- contact the CERT Coordination Center. (Contact information
- is in section A2.)
-
- (b) Workshops
-
- From 1989 to 1992 the CERT Coordination Center hosted and
- co-sponsored the annual FIRST Workshop on Incident Handling. CERT
- staff has continued to participate in subsequent workshops. For
- further information about the FIRST Workshop on Incident Handling,
- please contact the CERT Coordination Center or refer to
-
- http://www.first.org/first/
-
- (c) Seminars
-
- (1) Internet Security for Managers
-
- Description: This seminar helps managers understand what
- needs to be done to ensure that their computer systems and
- networks are as securely managed as possible when operating
- within the Internet community. Attendees will be provided
- with information that will enable them to formulate realistic
- security policies, procedures, and programs specific to their
- operating environment.
-
- Audience: This seminar is designed for managers of computing
- centers/facilities, individuals tasked to evaluate/initiate
- Internet connectivity, for senior system administrators, and
- for others interested in computer security within the Internet
- community.
-
- (2) Internet Security for System and Network Administrators
-
- Description: The information presented in this seminar is
- based on incidents reported to the CERT Coordination Center.
- Topics include fundamental security practices for UNIX system
- administration, the latest information on network security, and
- establishing an appropriate site security policy.
-
- Audience: This seminar is designed for practitioners (UNIX
- system and network administrators) who need to build and
- maintain trustworthy network systems, for UNIX system
- programmers, and for practitioners who evaluate or initiate
- Internet connectivity. Some system administrator experience
- is assumed.
-
-
- B8. Where can I get information about firewalls?
-
- (a) Firewalls mailing list
-
- The Firewalls mailing list is a discussion forum for firewall
- administrators and implementors. To subscribe to Firewalls, send
- mail to
-
- Majordomo@GreatCircle.COM
-
- In the body of the message, put only
-
- subscribe firewalls
-
- (b) Firewalls digest
-
- The Firewalls digest is a compilation of messages from the
- Firewalls mailing list. To subscribe to the Firewalls digest, send
- mail to
-
- Majordomo@GreatCircle.COM
-
- In the body of the message, put only
-
- subscribe firewalls-digest
-
- Compressed back issues are available from
-
- ftp://FTP.GreatCircle.COM/pub/firewalls/digest/
-
-
- B9. Where can I get information about viruses?
-
- (a) VIRUS-L mailing list
-
- VIRUS-L is a moderated mailing list with a focus on computer virus
- issues. For more information, including a copy of the posting
- guidelines, see
-
- ftp://cs.ucr.edu/pub/virus-l/virus-l.README
-
- To be added to the mailing list, send mail to
-
- listserv@lehigh.edu
-
- In the body of the message, put nothing more than
-
- SUB VIRUS-L your name
-
- The current archive site for virus-l is
-
- ftp://cs.ucr.edu/pub/
-
- This site contains digests of the mailing list, 1988-present.
- In addition, there is a directory containing anti-virus tools.
-
- Back digests of the virus-l mailing list 1988-1993 are also
- available from
-
- ftp://info.cert.org/pub/virus-l/
-
-
- (b) comp.virus
-
- The comp.virus newsgroup is a moderated newsgroup.
- For more information, including a copy of the posting
- guidelines, see
-
- ftp://info.cert.org/pub/virus-l/virus-l.README
-
- Note: The CERT Coordination Center focuses primarily on
- vulnerabilities in networked systems that intruders can
- exploit. Viruses, though they may be transmitted over a
- network, are generally outside the current scope of our
- work. However, we are interested in hearing reports of
- UNIX or other mainframe viruses and about worms that could
- propagate via the Internet.
-
-
- B10. What other online information sources does the CERT Coordination
- Center recommend?
-
- (a) USENET newsgroups
-
- The archive of FAQs for USENET groups can be a good source of
- information. These FAQs are available from
-
- http://www.cis.ohio-state.edu/hypertext/faq/usenet/FAQ-List.html
-
-
- Among the security related newsgroups are the following:
-
- (1) comp.security.announce
-
- The comp.security.announce newsgroup is moderated
- and is used solely for the distribution of CERT
- advisories.
-
- (2) comp.security.misc
-
- The comp.security.misc newsgroup is a forum for the
- discussion of computer security, especially as it relates
- to the UNIX operating system.
-
- (3) alt.security
-
- The alt.security newsgroup is also a forum for the
- discussion of computer security, as well as other security
- topics (such as car locks and alarm systems).
-
- (4) comp.virus
-
- The comp.virus newsgroup is a moderated newsgroup with
- a focus on computer virus issues.
-
- (5) comp.risks
-
- The comp.risks newsgroup is a moderated forum on the
- risks to the public in computers and related systems.
-
- (b) Mailing lists
-
- A list of publicly accessible mailing lists is available from
-
- http://www.neosoft.com/internet/paml/
-
- (c) NIST (National Institute of Standards and Technology) Computer
- Security Bulletin Board
-
- Information posted on the bboard includes an events calendar,
- software reviews, publications, bibliographies, lists of
- organizations, and other government bulletin board numbers. This
- bboard contains no sensitive (unclassified or classified)
- information.
-
- If you have any questions, contact NIST by phone at
- 301-975-3359; by FAX at 301-590-0932; or by email at
- csrc@csrc.ncsl.nist.gov.
-
- NIST also has a web site at
- http://cs-www.ncsl.nist.gov
-
- (d) Web pages
-
- New information is constantly being made available online,
- particularly on the World Wide Web. If you have access to a
- web browser or other search engine, we urge you to query for
- security-related topics.
-
-
- B11. What books or articles does the CERT Coordination Center
- recommend?
-
- [Bishop 87] Bishop, Matt. "How to Write a Setuid Program."
- ;login: 12, 1 (Jan/Feb 1987): 5-12.
-
- [Cheswick 94] Cheswick, William R.; Bellovin, Steven M.
- Firewalls and Internet Security: Repelling the Wily
- Hacker. New York: Addison-Wesley Publishing Company,
- 1994.
-
- [Curry 90] Curry, Dave. "Improving the Security of Your
- UNIX System" (Technical Report ITSTD-721-FR-90-21).
- Menlo Park, CA: SRI International, April 1990.
-
- [Curry 92] Curry, David A. UNIX System Security: A Guide for
- Users and System Administrators. Reading, MA:
- Addison-Wesley Publishing Co., Inc., 1992.
- (ISBN 0-201-56327-4)
-
- [Denning 90] Denning, Peter J., ed. Computers Under Attack:
- Intruders, Worms, and Viruses. ACM Press, New York:
- Addison-Wesley Publishing Company, Inc., 1990.
- (ISBN 0-201-53067-8)
-
- [Ellis 94] Ellis, Jim; Fraser, Barbara; Pesante, Linda. "Keeping
- Internet Intruders Away." UNIX Review 12, 9 (September
- 1994): 35-44.
-
- [Farrow 91] Farrow, Rik. How to Protect Your Data and Prevent
- Intruders: UNIX System Security. Reading, MA:
- Addison-Wesley Publishing Company, Inc., 1991.
- (ISBN 0-201-57030-0)
-
- [Fithen 94] Fithen, Katherine; Fraser, Barbara. "CERT Incident
- Response and the Internet." Communications of the ACM
- 37, 8 (August 1994): 108-113.
-
- [Garfinkel and Spafford 91]
- Garfinkel, Simson; Spafford, Gene. Practical UNIX
- Security. Sebastopol, CA: O'Reilly & Associates, Inc.,
- [1994] c1991. (ISBN 0-937175-72-2)
-
- [Grampp and Morris 84]
- Grampp, F.T.; Morris, R.H. "UNIX Operating System
- Security." AT&T Technical Journal 63, 8 (Oct 1984):
- 1649-1672.
-
- [Hafner and Markoff 91]
- Hafner, Katie; Markoff, John. Cyberpunk: Outlaws
- and Hackers on the Computer Frontier. New York:
- Simon & Schuster, 1991.
-
- [Morris and Thompson 79]
- Morris, Robert; Thompson, Ken. "Password Security:
- A Case History." Communications of the ACM 22, 11
- (November 1979): 594-597.
-
- [Nemeth, Snyder, and Seebass 89]
- Nemeth, Evi; Snyder, Garth; Seebass, Scott.
- UNIX System Administration Handbook. Englewood
- Cliffs, NJ: Prentice Hall, 1989. (ISBN 0-13-933441-6)
-
-
- [Stoll 89] Stoll, Clifford. The Cuckoo's Egg: Tracking a
- Spy Through the Maze of Computer Espionage.
- New York, NY: Doubleday, 1989. (ISBN 0-385-24946-2)
-
- [Wood and Kochan 86]
- Wood, Patrick; Kochan, Stephen. UNIX System
- Security. Hasbrouck Heights, NJ: Hayden Books, 1986.
-
-
- =======================================================================
- = Section C. Incident Response =
- =======================================================================
-
- C1. What kind of information should I provide to the CERT
- Coordination Center when my site has experienced an intrusion?
-
- The CERT Coordination Center would like as much information as
- possible, including opinions and thoughts as to how the break-in
- occurred. Some specifics include:
-
- 1) names of host(s) compromised at your site
-
- 2) account name(s) compromised
-
- 3) architecture and OS (operating system and revision)
- of compromised host(s)
-
- 4) whether or not security patches have been applied
- to the compromised host(s); if so, were patches
- applied before or after the intrusion
-
- 5) other host(s)/site(s) involved in the intrusion and
- whether or not you have already contacted those
- site(s) about the intrusion
-
- 6) if other site(s) have been contacted, the contact
- information used for contacting the site(s)
- involved
-
- 7) if CERT staff members are to contact the other site(s),
- may we give the other sites your contact information
- (i.e., your name, email address, and phone number)
-
- 8) whether or not any law enforcement agencies have
- been contacted
-
- 9) appropriate log extracts (including timestamps)
-
- 10) what assistance you would like from the CERT
- Coordination Center
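-
- As an added example that is not part of this FAQ or of CERT's own
- tooling, the Python script below derives items 1, 2, 5 and 9 of the
- list above from BSD-style syslog lines: the hosts and accounts that
- were logged into from outside the site, the remote hosts involved, and
- a log extract restricted to the relevant lines. The log lines, host
- names, accounts, addresses, site netblock and site domain are all
- constructed for illustration. It also handles a detail the list leaves
- implicit: classic syslog stamps carry neither a year nor a time zone,
- so the reporter must supply both, and the extract is written with ISO
- 8601 timestamps that include the UTC offset so that CERT and other
- sites can correlate them.

```python
"""Derive the log-based items of a CERT incident report from syslog lines.

Added example, not part of the CERT FAQ. Every host name, account,
address, netblock and domain below is constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Hypothetical site netblock and domain: anything outside them counts as
# "another host/site involved in the intrusion" (item 5 of the list).
SITE_NETWORKS = [ip_network("198.51.100.0/24")]
SITE_DOMAIN = ".example.edu"

# Constructed BSD syslog sample. These stamps carry neither a year nor a
# time zone; both must be supplied by the reporter (see example_report).
SAMPLE_LOG = """\
Dec  3 02:14:07 gauss login[2041]: ROOT LOGIN REFUSED FROM 192.0.2.77
Dec  3 02:14:31 gauss login[2044]: LOGIN ON ttyp2 BY guest FROM 192.0.2.77
Dec  3 02:15:02 gauss su: guest to root on /dev/ttyp2
Dec  3 02:15:40 gauss ftpd[2051]: connection from bad.example.net
Dec  3 03:00:00 gauss cron[2100]: (root) CMD (run-parts /etc/cron.hourly)
Dec  3 03:22:18 euler login[911]: LOGIN ON ttyp0 BY guest FROM 192.0.2.77
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
SRC_RE = re.compile(r"\b(?:FROM|from) (\S+)$")   # remote end of a login/connection
LOGIN_RE = re.compile(r"LOGIN ON \S+ BY (?P<user>\S+) FROM ")
SU_RE = re.compile(r"^(?P<user>\S+) to (?P<target>\S+) on ")


def parse_syslog(text, year, tz):
    """Parse BSD syslog lines into dicts carrying a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue                       # not a syslog line; skip it
        h, mi, s = (int(x) for x in m["time"].split(":"))
        ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s, tzinfo=tz)
        events.append({"ts": ts, "host": m["host"],
                       "prog": m["prog"].strip(), "msg": m["msg"]})
    return events


def is_external(src):
    """True if an address or host name lies outside the site's own networks."""
    try:
        return not any(ip_address(src) in net for net in SITE_NETWORKS)
    except ValueError:                     # not an IP literal: judge by domain
        return not src.endswith(SITE_DOMAIN)


def build_report(text, year, tz, start, end):
    """Return items 1, 2, 5 and 9 of the FAQ's list for events in [start, end]."""
    events = [e for e in parse_syslog(text, year, tz) if start <= e["ts"] <= end]
    hosts, accounts, remote, extract = set(), set(), set(), []
    for e in events:
        keep = False
        src = SRC_RE.search(e["msg"])
        login = LOGIN_RE.search(e["msg"])
        su = SU_RE.match(e["msg"])
        if src and is_external(src.group(1)):
            remote.add(src.group(1))
            keep = True
            if login:                      # successful login from outside
                hosts.add(e["host"])
                accounts.add(login["user"])
        # An su from an already-compromised account extends the compromise.
        if su and e["host"] in hosts and su["user"] in accounts:
            accounts.add(su["target"])
            keep = True
        if keep:                           # item 9: extract with full timestamps
            extract.append(f"{e['ts'].isoformat()} {e['host']} {e['prog']}: {e['msg']}")
    return {"compromised_hosts": sorted(hosts),          # item 1
            "compromised_accounts": sorted(accounts),    # item 2
            "other_hosts_involved": sorted(remote),      # item 5
            "log_extract": extract}                      # item 9


def example_report():
    """Run build_report over the constructed sample for 3 December 1995, EST."""
    est = timezone(timedelta(hours=-5))
    day = datetime(1995, 12, 3, tzinfo=est)
    return build_report(SAMPLE_LOG, 1995, est, day, day + timedelta(days=1))


if __name__ == "__main__":
    for key, value in example_report().items():
        print(key)
        for item in value:
            print("   ", item)
```

- Lines that mention neither an external source nor a login or su
- involving a compromised account (the cron entry above) are left out of
- the extract, which keeps item 9 to what a CERT analyst can act on. For
- an intrusion that was noticed days later, widen the window passed to
- build_report rather than trimming the logs by hand, so that the
- earliest contact from the remote hosts is not lost.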
-
-
- Incident reporting form
-
- The CERT staff has developed an incident reporting form in an effort
- to facilitate our interaction with members of the Internet community.
- Note that our policy is to keep confidential any information you
- provide unless we receive your permission to release that information.
- The form is located at
-
- ftp://info.cert.org/pub/incident.reporting.form
-
-
- Copyright 1995 Carnegie Mellon University
-
- This material may be reproduced and distributed without permission provided it
- is used for noncommercial purposes and the copyright statement is included.
-
- CERT is a service mark of Carnegie Mellon University.
-
- The CERT Coordination Center is sponsored by the Advanced Research Projects
- Agency (ARPA). The Software Engineering Institute is sponsored by the U.S.
- Department of Defense.
-